Description:
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. At the Amazon S3 bucket level, you can configure permissions through a bucket policy so that the objects are accessible only over HTTPS.
Rationale:
To allow access to Amazon S3 objects only over HTTPS, you must also explicitly deny HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests do not comply with this recommendation.
Impact:
HTTP requests to the bucket are denied by the bucket policy.
Default value:
By default, Amazon S3 allows both HTTP and HTTPS requests.
Pre-Requisite:
S3 bucket
Remediation:
Test Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Permissions', then Click on Bucket Policy.
- Make sure HTTP access is not allowed: confirm that a bucket policy exists that explicitly denies HTTP requests and that it contains the key "aws:SecureTransport": "false".
- Ensure that a policy statement is listed that matches:
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
Using AWS CLI:
List all of the S3 Buckets
aws s3 ls
Using the list of buckets, run this command on each of them:
aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport
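The grep above only shows that the key appears somewhere in the policy; it would also match an Allow statement conditioned on "aws:SecureTransport": "true", which the Rationale says does not satisfy this recommendation. The following Python check, added here as an example and not part of the original recommendation, parses the policy document that aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text prints and looks for a Deny statement matching the pattern above. The bucket name and the two sample policies are constructed for illustration; the check also accepts Principal written as {"AWS": "*"} and Action, Resource or the condition value written as lists, since IAM allows those forms.

```python
import json

# Constructed sample bucket name and policies (not from any real bucket).
BUCKET = "example-bucket"

# Compliant: allows HTTPS reads for one account and explicitly denies plain HTTP.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountReads", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Non-compliant: allows HTTPS but never denies HTTP. A grep for the key would
# still match this policy, which is why a structural check is needed.
ALLOW_HTTPS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowHTTPSReads", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
})


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_denies_http(stmt, bucket):
    """True if this one statement denies all S3 actions for everyone over plain HTTP."""
    if stmt.get("Effect") != "Deny":
        return False
    principal = stmt.get("Principal")
    everyone = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
    if not everyone:
        return False
    actions = _as_list(stmt.get("Action"))
    if "s3:*" not in actions and "*" not in actions:
        return False
    resources = _as_list(stmt.get("Resource"))
    if f"arn:aws:s3:::{bucket}/*" not in resources and "*" not in resources:
        return False
    # The condition value may be written as the string "false" or the JSON boolean false.
    values = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def denies_http(policy_json, bucket):
    """Check a whole policy document (as printed by get-bucket-policy) for the Deny-HTTP statement."""
    policy = json.loads(policy_json)
    return any(statement_denies_http(s, bucket) for s in _as_list(policy.get("Statement")))


if __name__ == "__main__":
    import sys
    # Usage: aws s3api get-bucket-policy --bucket NAME --query Policy --output text | python3 check_https.py NAME
    ok = denies_http(sys.stdin.read(), sys.argv[1])
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    sys.exit(0 if ok else 1)
```

Run it once per bucket from the aws s3 ls output; a non-zero exit marks a bucket whose policy lacks the Deny statement, including buckets where the key is present only inside an Allow statement.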
Implementation Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Permissions', then click on edit in Bucket Policy.
- Add this statement to the existing policy, filling in the required information.
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
Click on save changes.
Using the AWS Policy Generator:
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Permissions', then click on edit in Bucket Policy.
Click on Policy Generator at the bottom of the Bucket Policy Editor.
- Select Policy Type: S3 Bucket Policy
- Add Statements. Effect = Deny, Principal = *, AWS Service = Amazon S3, Actions = *, Amazon Resource Name = <ARN of S3 bucket> and click add statement.
- Click on generate policy to generate the S3 policy.
- Copy the generated policy and paste it in the bucket policy section, confirming that the Deny statement carries the "aws:SecureTransport": "false" condition shown above before saving.
- Click on save changes.
Using AWS CLI
Export the bucket policy to a JSON file.
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
Modify the policy.json file by adding this statement to it:
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
Apply the modified policy back to the S3 bucket.
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
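Editing policy.json by hand is error-prone when the bucket already has several statements, and a bucket with no policy at all makes get-bucket-policy fail rather than print an empty document. The following Python script, added here as an example and not part of the original recommendation, takes the existing policy text on standard input (or nothing), appends the Deny statement from the Implementation Plan for the named bucket, and writes the merged document for put-bucket-policy. The Sid DenyInsecureTransport and the sample existing policy are assumptions chosen for illustration; the script is idempotent, so re-running it does not add a second copy of the statement.

```python
import json

# Assumed Sid for the added statement; any Sid unique within the policy works.
DENY_SID = "DenyInsecureTransport"

# Constructed sample of a policy a bucket might already carry (not from a real bucket).
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountReads", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def deny_http_statement(bucket):
    """The Deny statement from the Implementation Plan, filled in for one bucket."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def add_deny_http(policy_json, bucket):
    """Return policy text with the Deny statement appended.

    policy_json is the existing policy document as printed by get-bucket-policy,
    or None/empty when the bucket has no policy yet. A statement with DENY_SID
    already present is left alone, so the function can be run repeatedly.
    """
    if policy_json and policy_json.strip():
        policy = json.loads(policy_json)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    if not any(s.get("Sid") == DENY_SID for s in statements):
        statements.append(deny_http_statement(bucket))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    import sys
    # Usage: existing policy on stdin (may be empty), bucket name as the only argument.
    print(add_deny_http(sys.stdin.read(), sys.argv[1]))
```

Chained with the CLI commands above, the remediation becomes: (aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text 2>/dev/null || true) | python3 add_deny_http.py <bucket_name> > policy.json, followed by the put-bucket-policy command. The || true lets a bucket without a policy fall through with empty input, which the script turns into a new policy containing only the Deny statement.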
Backout Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
- Click on 'Permissions', then click on Delete in Bucket Policy.
Using AWS CLI
aws s3api delete-bucket-policy --bucket <bucket_name>
Reference:
s3api — AWS CLI 2.11.11 Command Reference